Android Into A SpyPhone
LAS VEGAS — All a relatively skilled hacker needs to do to turn an Android smartphone into a powerful surveillance machine — a so-called SpyPhone — is to copy and paste some malicious code into an innocuous-looking app like Angry Birds, and then get the phone owner to install it.
Once that's done, he can surreptitiously track the phone's location, read its texts and emails, take pictures, record video or audio, and monitor pretty much everything the phone does. In other words, the hacker now has full remote control of the phone.
That's what Kevin McNamee, Director of Kindsight Security Labs, showed step by step during a talk at the Black Hat security conference on Wednesday.
SpyPhone software, or monitoring malware, is nothing new. Apart from commercial and legal applications that let a mother monitor what her kids are doing, there are also more questionable ones. Nations use SpyPhone malware as a cyber espionage tool to spy on their adversaries through trojanized apps: legitimate-looking apps with spying code bundled inside. That's what happened to Tibetan activists, for example, as Mashable reported in March.
But it's not only far-away activists that should be worried.
According to a survey that sampled 500,000 mobile phone subscribers, 1 in 800 was infected with SpyPhone malware. Some of the results of the survey, conducted by Lacoon Mobile Security in partnership with a global cellular provider, were presented (.PDF) at a separate Black Hat talk.
"People don't yet realize the potential impact that mobile malware can have," McNamee told Mashable.
McNamee created his SpyPhone software precisely to show how powerful mobile malware can be, and how easy it is to create and distribute. He said it took him and his colleagues only two weeks to write the code, because they used standard, widely available Android APIs. His SpyPhone software doesn't take advantage of any exploits or vulnerabilities and doesn't need to root or otherwise compromise the phone: everything it does goes through the permissions the user grants when the app is installed.
What McNamee and his colleagues did was write code that can be injected into any existing app, be it Angry Birds, Facebook or any other app available on the Google Play store. The injected code gives the app access to every function a hacker would need to spy on the victim. At that point, a malicious hacker would just have to repackage the app and put it in the wild.
What's most dangerous about this kind of SpyPhone malware is that, once the app is installed, the user has no way of knowing he's being spied on. He'll happily keep slinging birds while somebody secretly monitors him. And because the spying code is built as an Android "service," it keeps running in the background even after the user closes the app.
"We can take our spyware stuff and then we copy and paste it in there, drop it in, and then we repackage the whole thing up," McNamee said. "From the user's perspective, it looks and behaves exactly like the original application, there is no evidence that it's been tampered with."
The user might notice something is off if he looks at the unusual permissions the app requests at install time, such as reading contacts or using the camera.
The other catch is that the easiest way to get the app onto somebody's phone is to have the user install an Android Application Package file (.apk) from outside the Google Play store. It's harder to push the covert SpyPhone app through official channels: a repackaged app has to be re-signed with the impostor's key rather than the original developer's, so Google would detect that somebody who is not the actual author of the software is distributing an Angry Birds app. That said, it's not impossible to get SpyPhone malware onto Google Play.
McNamee thinks that by putting a brand new app online — instead of injecting malware into another one — they could get past Google's monitoring technology. And experts in the field agree that the risk is real.
"The Google Apps Store has not had an impressive track record of keeping malicious applications out," Kurt Baumgartner, a senior security researcher at Kaspersky Labs told Mashable. Baumgartner called Google's model of screening malicious apps "broken."
"The model seems to be 'well, we will let a certain number of users and infections get through – that's acceptable.' And eventually it gets cleaned up," he said.
And even without going through Google Play, there are still ways to get the malware out there.
In some countries, Baumgartner explained, activists and other phone users are advised not to use official channels like Google Play for fear of being monitored, so they are used to installing apps downloaded from third-party app stores or received via email.
That also opens the door to spear-phishing. That kind of attack worked against some activists in Tibet, who were tricked into downloading a compromised version of a messaging app called Kakao Talk, which was then used to spy on them.
The way users can avoid turning their Android phone into a spy machine is to be careful what apps they install, where they install them from, and whether they've been installed by many people.
Both McNamee and Baumgartner advise against downloading apps from third-party sites. It's also important to review the permissions an app requests and ask whether anything in the list makes sense for what the app does. Why would Angry Birds need to record video?
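One way to do that permission review systematically, and to catch the extra background service the injected code runs as, is to diff the app's manifest against what the genuine app declares. The Python script below is an added example written for this article; it is not Kindsight's SpyPhone code and not anything from Google. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (apktool's `apktool d app.apk` does this), and the sample manifest, package name, component names and baseline sets are all constructed for illustration rather than taken from any real app.

```python
"""Flag permissions and components that a repackaged app added on top of the original.

Added example for this article, not code from Kindsight or Google. Input is a
manifest already decoded to plain XML (e.g. by apktool); binary AXML is not parsed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's spelling of android:name

# Permissions that give a spyphone its capabilities. A game asking for these
# has very likely been repackaged with something extra.
SPY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample: a game's manifest after a hypothetical spyware injection.
# Package, class names and permissions are made up for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.birdgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Bird Game">
        <activity android:name=".MainActivity"/>
        <service android:name="com.example.birdgame.sync.SyncService"/>
        <receiver android:name="com.example.birdgame.sync.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed baseline: what the genuine game's manifest declares.
BASELINE_PERMISSIONS = {"android.permission.INTERNET",
                        "android.permission.ACCESS_NETWORK_STATE"}
BASELINE_COMPONENTS = {".MainActivity"}


def parse_manifest(xml_text):
    """Return (permissions, components, boot_receivers) from decoded manifest XML."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    components = {}       # component class name -> activity/service/receiver/provider
    boot_receivers = set()
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver", "provider"):
            for e in app.iter(tag):
                components[e.get(NAME)] = tag
                if tag == "receiver":
                    actions = {a.get(NAME) for a in e.iter("action")}
                    if "android.intent.action.BOOT_COMPLETED" in actions:
                        boot_receivers.add(e.get(NAME))
    return perms, components, boot_receivers


def audit_manifest(xml_text, baseline_perms, baseline_components):
    """Diff a manifest against the genuine app's declarations and rate each addition."""
    perms, components, boot_receivers = parse_manifest(xml_text)
    findings = []
    for p in sorted(perms - baseline_perms):
        sev = "HIGH" if p in SPY_PERMISSIONS else "INFO"
        findings.append((sev, f"extra permission {p}"))
    for name, tag in sorted(components.items()):
        if name in baseline_components:
            continue
        # Background services and boot receivers are how injected code keeps
        # running after the user closes the game.
        sev = "HIGH" if tag in ("service", "receiver") else "INFO"
        findings.append((sev, f"extra {tag} {name}"))
    for name in sorted(boot_receivers):
        findings.append(("HIGH", f"receiver {name} restarts on BOOT_COMPLETED"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_manifest(SAMPLE_MANIFEST, BASELINE_PERMISSIONS, BASELINE_COMPONENTS):
        print(f"[{sev}] {msg}")
```

The baseline is the weak point of this check: it has to come from a copy of the app you trust, ideally one whose signing certificate you have verified against the developer's, since an attacker who supplies both the app and the "original" controls the comparison. Without a baseline, the SPY_PERMISSIONS set on its own still answers the question in the paragraph above (why would a game need the camera, the microphone or the contact list?).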
Ultimately, though, the problem is that today's smartphones, in a way, are designed to monitor their owner's activities, so it's inevitable that hackers can leverage that.